From a6ac3a731259bb613c37ea142284d706acf0660d Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Sat, 23 Sep 2023 16:57:09 +0100 Subject: [PATCH] Add planet::aws recipe to configure awscli for planet uploads --- .github/workflows/test-kitchen.yml | 1 + .kitchen.yml | 3 ++ cookbooks/planet/recipes/aws.rb | 44 +++++++++++++++++++ cookbooks/planet/recipes/default.rb | 2 +- cookbooks/planet/recipes/notes.rb | 2 +- cookbooks/planet/recipes/replication.rb | 2 +- .../planet/templates/default/aws-config.erb | 8 ++++ .../templates/default/aws-credentials.erb | 7 +++ test/data_bags/planet/aws.json | 4 ++ 9 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 cookbooks/planet/recipes/aws.rb create mode 100644 cookbooks/planet/templates/default/aws-config.erb create mode 100644 cookbooks/planet/templates/default/aws-credentials.erb create mode 100644 test/data_bags/planet/aws.json
diff --git a/.github/workflows/test-kitchen.yml b/.github/workflows/test-kitchen.yml
index 1e0f44322..95cbdc878 100644
--- a/.github/workflows/test-kitchen.yml
+++ b/.github/workflows/test-kitchen.yml
@@ -84,6 +84,7 @@ jobs:
 - php-apache
 - php-fpm
 - planet
+ - planet-aws
 - planet-current
 - planet-dump
 - planet-notes
diff --git a/.kitchen.yml b/.kitchen.yml
index 3d9674533..5795b9c7f 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -298,6 +298,9 @@ suites:
 - name: planet
 run_list:
 - recipe[planet::default]
+ - name: planet-aws
+ run_list:
+ - recipe[planet::aws]
 - name: planet-current
 run_list:
 - recipe[planet::current]
diff --git a/cookbooks/planet/recipes/aws.rb b/cookbooks/planet/recipes/aws.rb
new file mode 100644
index 000000000..cd4444690
--- /dev/null
+++ b/cookbooks/planet/recipes/aws.rb
@@ -0,0 +1,44 @@
+#
+# Cookbook:: planet
+# Recipe:: aws
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "accounts"
+include_recipe "awscli"
+
+aws_credentials = data_bag_item("planet", "aws")
+
+directory "/home/planet/.aws" do
+ owner "planet"
+ group "planet"
+ mode "0755"
+end
+
+template "/home/planet/.aws/config" do
+ source "aws-config.erb"
+ owner "planet"
+ group "planet"
+ mode "0644"
+end
+
+template "/home/planet/.aws/credentials" do
+ source "aws-credentials.erb"
+ owner "planet"
+ group "planet"
+ mode "0600"
+ variables :credentials => aws_credentials
+end
diff --git a/cookbooks/planet/recipes/default.rb b/cookbooks/planet/recipes/default.rb
index 23dc7bdbf..412ec7cdb 100644
--- a/cookbooks/planet/recipes/default.rb
+++ b/cookbooks/planet/recipes/default.rb
@@ -19,7 +19,7 @@
 include_recipe "accounts"
 include_recipe "apache"
-include_recipe "awscli"
+include_recipe "planet::aws"
 include_recipe "munin"
 package %w[
diff --git a/cookbooks/planet/recipes/notes.rb b/cookbooks/planet/recipes/notes.rb
index 57682bead..1ca5f323b 100644
--- a/cookbooks/planet/recipes/notes.rb
+++ b/cookbooks/planet/recipes/notes.rb
@@ -18,8 +18,8 @@
 #
 include_recipe "accounts"
-include_recipe "awscli"
 include_recipe "git"
+include_recipe "planet::aws"
 db_passwords = data_bag_item("db", "passwords")
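Review bot: The `template "/home/planet/.aws/credentials"` resource in cookbooks/planet/recipes/aws.rb renders the secret access key but is not marked sensitive, so a Chef run that creates or changes the file can show the rendered diff, including the key, in the client output and anything that collects it; adding `sensitive true` to that resource suppresses this. The `.aws` directory is created with mode `"0755"` and `config` with `"0644"`; only the planet user appears to need them, so `mode "0700"` on the directory would keep the profile layout private and would also cover anything awscli later writes under it. A short comment above `data_bag_item("planet", "aws")` naming the keys the item must carry would help too, because a missing `osm-pds` entry renders an empty secret into the file without failing the run.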
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 364e0b814..d5a8485d7 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -22,9 +22,9 @@ require "yaml"
 include_recipe "accounts"
 include_recipe "apt"
 include_recipe "osmosis"
+include_recipe "planet::aws"
 include_recipe "ruby"
 include_recipe "tools"
-include_recipe "awscli"
 db_passwords = data_bag_item("db", "passwords")
diff --git a/cookbooks/planet/templates/default/aws-config.erb b/cookbooks/planet/templates/default/aws-config.erb
new file mode 100644
index 000000000..d62dcdad9
--- /dev/null
+++ b/cookbooks/planet/templates/default/aws-config.erb
@@ -0,0 +1,8 @@
+[profile osm-pds]
+region = eu-central-1
+
+[profile osm-pds-upload]
+region = eu-central-1
+s3 =
+ max_bandwidth = 75MB/s
+ max_concurrent_requests = 512
diff --git a/cookbooks/planet/templates/default/aws-credentials.erb b/cookbooks/planet/templates/default/aws-credentials.erb
new file mode 100644
index 000000000..40ec32c22
--- /dev/null
+++ b/cookbooks/planet/templates/default/aws-credentials.erb
@@ -0,0 +1,7 @@
+[osm-pds]
+aws_access_key_id = AKIAZFVRMSDZE2DANIFS
+aws_secret_access_key = <%= @credentials["osm-pds"] %>
+
+[osm-pds-upload]
+role_arn=arn:aws:iam::630658470130:role/osm-pds-upload-role
+source_profile=osm-pds
diff --git a/test/data_bags/planet/aws.json b/test/data_bags/planet/aws.json
new file mode 100644
index 000000000..787bf1c54
--- /dev/null
+++ b/test/data_bags/planet/aws.json
@@ -0,0 +1,4 @@
+{
+ "id": "aws",
+ "osm-pds": "osm-pds"
+}
-- 2.45.2
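Review bot: In cookbooks/planet/templates/default/aws-credentials.erb the access key ID is hard-coded in the template while its secret comes from the `planet/aws` data bag, so rotating the key needs a commit and a data bag edit that must land together, and the two halves can drift apart. Reading both from the data bag item, for example `aws_access_key_id = <%= @credentials["osm-pds-key-id"] %>` (the key name is only a suggestion), would make rotation a single change and keep the identifier out of the template. The `[osm-pds]` profile is a long-lived static key used as the source for the upload role, so a comment in the template stating that this user's IAM policy is expected to allow only `sts:AssumeRole` on that role would record the intended blast radius; whether the policy is actually that narrow cannot be seen from this patch.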